Hello, When I authenticate in PEAP, my ldap attributes (ex Tunnel-Private- Group-Id) aren't send to the client, why ? Here is my debug: rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusClass as RADIUS attribute Class = 0x4f553d61646d696e3b rlm_ldap: LDAP attribute radiusClass as RADIUS attribute Class = 0x4f553d61646d696e3b rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "1" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel- Type:0 = VLAN WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user mdelavau authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_prof] returns ok ++- group returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler ++[eap] returns ok +- entering group session expand: /opt/freeradius/radium/var/log/radius/radutmp -> /opt/ freeradius/radium/var/log/radius/radutmp expand: %{User-Name} -> mdelavau@univ-lr.fr ++[radutmp] returns ok Login OK: [mdelavau@univ-lr.fr/<via Auth-Type = EAP>] (from client heros59 port 0) +- entering group post-auth expand: /opt/freeradius/radium/var/log/radius/radacct/%{Client-IP- Address}/reply-detail-%Y%m%d -> /opt/freeradius/radium/var/log/radius/ radacct/10.14.0.59/reply-detail-20080414 rlm_detail: /opt/freeradius/radium/var/log/radius/radacct/%{Client-IP- Address}/reply-detail-%Y%m%d expands to /opt/freeradius/radium/var/log/ radius/radacct/10.14.0.59/reply-detail-20080414 expand: %t -> Mon Apr 14 10:04:29 2008 ++[reply_log] returns ok } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 2 Class = 0x4f553d61646d696e3b Tunnel-Private-Group-Id:0 = "1" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "mdelavau" PEAP: Processing from tunneled session code 0x730f30 2 Class = 0x4f553d61646d696e3b Tunnel-Private-Group-Id:0 = "1" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "mdelavau" PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS ++[eap] returns handled Sending Access-Challenge of id 233 to 10.14.0.59 port 1645 EAP-Message = 0x010a002b1900170301002091080b47d0c51811b6674b7a649bd231e1f5fea643dd96b28362ea273fe51553 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5e74631eded5f77803ca60988c6d413 Finished request 22. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.14.0.59 port 1645, id=234, length=243 User-Name = "mdelavau@univ-lr.fr" Framed-MTU = 1400 Called-Station-Id = "0012.44bd.0b03" Calling-Station-Id = "0019.e304.476e" Cisco-AVPair = "ssid=eduroam" WISPr-Location-Name = "CRI Arpae" Service-Type = Authenticate-Only Message-Authenticator = 0x8cefe9357b38e5f0a52c291945837712 EAP-Message = 0x020a002b19001703010020dc122ffd1ad0290d995b344b65adbda0824e52829616cca6dfb590d9b510b732 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "36654" NAS-Port = 36654 State = 0xe5e74631eded5f77803ca60988c6d413 NAS-IP-Address = 10.14.0.59 NAS-Identifier = "heros59" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: Looking up realm "univ-lr.fr" for User-Name = "mdelavau@univ-lr.fr " rlm_realm: Found realm "univ-lr.fr" rlm_realm: Adding Stripped-User-Name = "mdelavau" rlm_realm: Proxying request from user mdelavau to realm univ-lr.fr rlm_realm: Adding Realm = "univ-lr.fr" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns noop rlm_eap: EAP packet type response id 10 length 43 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success rlm_eap: Freeing handler ++[eap] returns ok Login OK: [mdelavau@univ-lr.fr/<via Auth-Type = EAP>] (from client heros59 port 36654 cli 0019.e304.476e) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 234 to 10.14.0.59 port 1645 MS-MPPE-Recv-Key = 0xbf9d41342546813406854e35cabdf79521b33e2c316aff8d599716484cc18c20 MS-MPPE-Send-Key = 0xaff6c3d06041e693b8acb1067d382699f150da706b799e4960ab82be1f25a96a EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "mdelavau"
Thanks, it works. The attributes are send but the client (Aironet 1130) doesn't use them: Sending Access-Accept of id 1 to 10.10.10.200 port 53761 Class = 0x4f553d7765625f76706e3b Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Someone use this capability ? how ? Le 14 avr. 08 à 11:06, Alan DeKok a écrit :
Marc Boisis-Delavaud wrote:
Hello,
When I authenticate in PEAP, my ldap attributes (ex Tunnel-Private-Group-Id) aren't send to the client, why ?
See use_tunneled_reply in eap.conf.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Merci de penser à la planète! N'imprimez pas inutilement les documents transmis par courrier électronique. ----------------------------------- Marc Boisis-Delavaud tel: 05 46 45 82 14 Centre de Ressources Informatiques Université de La Rochelle -----------------------------------
You need to buy a wireless LAN controller as well. Ivan Kalik Kalik Informatika ISP Dana 14/4/2008, "Marc Boisis-Delavaud" <mdelavau@univ-lr.fr> piše:
Thanks, it works. The attributes are send but the client (Aironet 1130) doesn't use them:
Sending Access-Accept of id 1 to 10.10.10.200 port 53761 Class = 0x4f553d7765625f76706e3b Tunnel-Private-Group-Id:0 = "2" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN
Someone use this capability ? how ?
Le 14 avr. 08 ŕ 11:06, Alan DeKok a écrit :
Marc Boisis-Delavaud wrote:
Hello,
When I authenticate in PEAP, my ldap attributes (ex Tunnel-Private-Group-Id) aren't send to the client, why ?
See use_tunneled_reply in eap.conf.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Merci de penser ŕ la plančte! N'imprimez pas inutilement les documents transmis par courrier électronique. ----------------------------------- Marc Boisis-Delavaud tel: 05 46 45 82 14 Centre de Ressources Informatiques Université de La Rochelle -----------------------------------
Is it normal freeradius send attributes before access-accept ? Sending Access-Challenge of id 179 to 10.14.0.59 port 1645 Class = 0x4f553d61646d696e3b Tunnel-Private-Group-Id:0 = "1" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6c8328596c8131bb1c60acbabc365bde ... Le 14 avr. 08 à 19:05, A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
You need to buy a wireless LAN controller as well.
not at all - you can return VLAN tunnel attributes to an 1130 aironet AP - but it needs to be configured to understand the VLANs and run a version of the firmware that can do it.
use_tunnelled_reply is definately needed
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Merci de penser à la planète! N'imprimez pas inutilement les documents transmis par courrier électronique. ----------------------------------- Marc Boisis-Delavaud tel: 05 46 45 82 14 Centre de Ressources Informatiques Université de La Rochelle -----------------------------------
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
Marc Boisis-Delavaud